In general, it is the concept of sending from a particular domain in a format that the infrastructure on that domain will not send.

A really easy-to-grasp concept: I know that example.com's mail server always adds an X-Yup-We-Sent-It: True header, so I will consider anything claiming to come from example.com but missing that header to be suspicious.

Similarly, messages with a header indicating they were written in a client, yet formatted in a way that that client does not produce.


On 2019-11-01 10:55, Axb wrote:
What is a "faked mail" ?

On 11/1/19 3:15 PM, Joseph Brennan wrote:
MALFORMED_FREEMAIL is a meta on:
(MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM

So that and MISSING_HEADERS itself add up to 3.0 points. This seems high.

We rejected a message from gmail that hit MALFORMED_FREEMAIL and
MISSING_HEADERS, and a few other low-scoring things. Because it was
rejected I do not have the message. I believe the sender tried to BCC a
group of people. If I recall correctly MISSING_HEADERS, which refers only
to the To: header, hits when To: exists but is blank. People (ab)using BCC
instead of a list for legit mail is not that uncommon.

The case with __HDRS_LCASE strikes me as very different and much more
likely to be faked mail. I don't know of any freemail providers that write
header names in all lower case. A check against the corpus obviously needs
to back up my guess but I think I'm right.

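The heuristics discussed in this thread, as an added example that is not SpamAssassin's own code: a toy rule evaluator that keeps raw header-name casing, implements MISSING_HEADERS as Brennan recalls it (To: present but blank), __HDRS_LCASE as "a common field name written entirely in lower case", FREEMAIL_FROM against an assumed short freemail list, the MALFORMED_FREEMAIL meta exactly as quoted, and the top post's example.com illustration with its hypothetical X-Yup-We-Sent-It header. The scores, the freemail domain list, the set of field names checked for lower case, and the four sample messages are all assumptions constructed for the example.

```python
"""Toy SpamAssassin-style evaluator for the 'faked mail' heuristics in this thread.
Added example, not SpamAssassin's code: rule definitions follow the thread's
description; scores, the freemail list and the sample messages are assumed.
"""
import re

# Assumed: a short freemail list standing in for SpamAssassin's FreeMail data.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# The thread's illustration: example.com's server always adds this (hypothetical)
# header, so mail claiming example.com without it is suspicious.
EXPECTED_DOMAIN_HEADERS = {"example.com": "X-Yup-We-Sent-It"}

# Assumed: field names whose all-lower-case spelling counts as __HDRS_LCASE.
LCASE_NAMES = {"from", "to", "subject", "date", "message-id"}

# Assumed split; the thread only says MALFORMED_FREEMAIL + MISSING_HEADERS = 3.0.
SCORES = {"MISSING_HEADERS": 1.0, "MALFORMED_FREEMAIL": 2.0,
          "__HDRS_LCASE": 0.0, "FREEMAIL_FROM": 0.0, "DOMAIN_SIG_MISSING": 1.5}


def parse_headers(raw):
    """Return (name, value) pairs from the header block, keeping each field name
    exactly as written so its casing can be inspected. Folded lines are joined."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:      # continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, (value + " " + line.strip()).strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def header(fields, name):
    """First value of a field, matched case-insensitively; None when absent."""
    return next((v for n, v in fields if n.lower() == name.lower()), None)


def from_domain(fields):
    """Domain part of the first address in From:, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", header(fields, "From") or "")
    return m.group(1).lower() if m else ""


def rule_missing_headers(fields):
    # As recalled in the thread: a To: field is present but empty.
    v = header(fields, "To")
    return v is not None and v == ""


def rule_hdrs_lcase(fields):
    # A common field name written entirely in lower case, e.g. "from:".
    return any(n in LCASE_NAMES for n, _ in fields)


def rule_freemail_from(fields):
    return from_domain(fields) in FREEMAIL_DOMAINS


def rule_malformed_freemail(fields):
    # meta: (MISSING_HEADERS || __HDRS_LCASE) && FREEMAIL_FROM
    return (rule_missing_headers(fields) or rule_hdrs_lcase(fields)) \
        and rule_freemail_from(fields)


def rule_domain_sig_missing(fields):
    # Mail claims a domain whose infrastructure always adds a marker header, but lacks it.
    expected = EXPECTED_DOMAIN_HEADERS.get(from_domain(fields))
    return expected is not None and header(fields, expected) is None


RULES = {
    "MISSING_HEADERS": rule_missing_headers,
    "__HDRS_LCASE": rule_hdrs_lcase,
    "FREEMAIL_FROM": rule_freemail_from,
    "MALFORMED_FREEMAIL": rule_malformed_freemail,
    "DOMAIN_SIG_MISSING": rule_domain_sig_missing,
}


def score(raw):
    """Evaluate every rule against one raw message; return (sorted hits, total)."""
    fields = parse_headers(raw)
    hits = sorted(name for name, fn in RULES.items() if fn(fields))
    return hits, sum(SCORES[h] for h in hits)


# Constructed sample messages (not real mail).
BCC_MSG = ("From: Alice <alice@gmail.com>\nTo: \n"          # BCC-only send, blank To:
           "Subject: Reunion details\nDate: Fri, 1 Nov 2019 10:00:00 -0400\n"
           "\nSee you all there.\n")
LCASE_MSG = ("from: bob@gmail.com\nto: victim@example.net\n"  # all-lower-case names
             "subject: invoice\n\nOpen the attachment.\n")
SPOOFED_EXAMPLE = ("From: Support <support@example.com>\n"   # no X-Yup-We-Sent-It
                   "To: carol@example.net\nSubject: Password reset\n\nClick here.\n")
CLEAN_MSG = ("From: Dan <dan@gmail.com>\nTo: erin@example.net\nSubject: Lunch?\n"
             "Date: Fri, 1 Nov 2019 11:00:00 -0400\n\nNoon works.\n")

if __name__ == "__main__":
    for label, raw in [("bcc", BCC_MSG), ("lcase", LCASE_MSG),
                       ("spoofed", SPOOFED_EXAMPLE), ("clean", CLEAN_MSG)]:
        print(label, score(raw))
```

Running it shows the two halves of Brennan's point side by side: the legitimate BCC message collects 3.0 from MISSING_HEADERS plus the meta it feeds, while the lower-case-header message hits the same meta without MISSING_HEADERS, and the spoofed example.com message is caught only by the "expected marker header is absent" check that the first reply describes.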